Tomcat — контейнер сервлетов с открытым исходным кодом
Релизный цикл, информация об уязвимостях
График релизов
Количество 1 262
SUSE-SU-2023:1669-1
Security update for tomcat
GHSA-2c9m-w27f-53rm
Apache Tomcat vulnerable to Unprotected Transport of Credentials
CVE-2023-28708
When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to https, session cookies created by Apache Tomcat 11.0.0-M1 to 11.0.0.-M2, 10.1.0-M1 to 10.1.5, 9.0.0-M1 to 9.0.71 and 8.5.0 to 8.5.85 did not include the secure attribute. This could result in the user agent transmitting the session cookie over an insecure channel. Older, EOL versions may also be affected.
CVE-2023-28708
When using the RemoteIpFilter with requests received from a reverse ...
CVE-2023-28708
When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to https, session cookies created by Apache Tomcat 11.0.0-M1 to 11.0.0.-M2, 10.1.0-M1 to 10.1.5, 9.0.0-M1 to 9.0.71 and 8.5.0 to 8.5.85 did not include the secure attribute. This could result in the user agent transmitting the session cookie over an insecure channel. Older, EOL versions may also be affected.
CVE-2023-28708
When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to https, session cookies created by Apache Tomcat 11.0.0-M1 to 11.0.0.-M2, 10.1.0-M1 to 10.1.5, 9.0.0-M1 to 9.0.71 and 8.5.0 to 8.5.85 did not include the secure attribute. This could result in the user agent transmitting the session cookie over an insecure channel. Older, EOL versions may also be affected.
BDU:2025-10838
Уязвимость сервера приложений Apache Tomcat, связанная с отсутствием флага «Secure» в файлах cookie сеанса, позволяющая нарушителю получить доступ к конфиденциальной информации
GHSA-rq2w-37h9-vg94
Apache Tomcat improperly escapes input from JsonErrorReportValve
CVE-2022-45143
The JsonErrorReportValve in Apache Tomcat 8.5.83, 9.0.40 to 9.0.68 and 10.1.0-M1 to 10.1.1 did not escape the type, message or description values. In some circumstances these are constructed from user provided data and it was therefore possible for users to supply values that invalidated or manipulated the JSON output.
CVE-2022-45143
The JsonErrorReportValve in Apache Tomcat 8.5.83, 9.0.40 to 9.0.68 and ...
Уязвимостей на страницу
Уязвимость | CVSS | EPSS | Опубликовано 1 | |
|---|---|---|---|---|
 | SUSE-SU-2023:1669-1 Security update for tomcat | 0% Низкий | почти 3 года назад | |
| GHSA-2c9m-w27f-53rm Apache Tomcat vulnerable to Unprotected Transport of Credentials | CVSS3: 4.3 | 0% Низкий | почти 3 года назад |
 | CVE-2023-28708 When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to https, session cookies created by Apache Tomcat 11.0.0-M1 to 11.0.0.-M2, 10.1.0-M1 to 10.1.5, 9.0.0-M1 to 9.0.71 and 8.5.0 to 8.5.85 did not include the secure attribute. This could result in the user agent transmitting the session cookie over an insecure channel. Older, EOL versions may also be affected. | CVSS3: 4.3 | 0% Низкий | почти 3 года назад |
| CVE-2023-28708 When using the RemoteIpFilter with requests received from a reverse ... | CVSS3: 4.3 | 0% Низкий | почти 3 года назад |
 | CVE-2023-28708 When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to https, session cookies created by Apache Tomcat 11.0.0-M1 to 11.0.0.-M2, 10.1.0-M1 to 10.1.5, 9.0.0-M1 to 9.0.71 and 8.5.0 to 8.5.85 did not include the secure attribute. This could result in the user agent transmitting the session cookie over an insecure channel. Older, EOL versions may also be affected. | CVSS3: 4.3 | 0% Низкий | почти 3 года назад |
 | CVE-2023-28708 When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to https, session cookies created by Apache Tomcat 11.0.0-M1 to 11.0.0.-M2, 10.1.0-M1 to 10.1.5, 9.0.0-M1 to 9.0.71 and 8.5.0 to 8.5.85 did not include the secure attribute. This could result in the user agent transmitting the session cookie over an insecure channel. Older, EOL versions may also be affected. | CVSS3: 4.3 | 0% Низкий | почти 3 года назад |
 | BDU:2025-10838 Уязвимость сервера приложений Apache Tomcat, связанная с отсутствием флага «Secure» в файлах cookie сеанса, позволяющая нарушителю получить доступ к конфиденциальной информации | CVSS3: 4.3 | 0% Низкий | почти 3 года назад |
| GHSA-rq2w-37h9-vg94 Apache Tomcat improperly escapes input from JsonErrorReportValve | CVSS3: 7.5 | 1% Низкий | около 3 лет назад |
| CVE-2022-45143 The JsonErrorReportValve in Apache Tomcat 8.5.83, 9.0.40 to 9.0.68 and 10.1.0-M1 to 10.1.1 did not escape the type, message or description values. In some circumstances these are constructed from user provided data and it was therefore possible for users to supply values that invalidated or manipulated the JSON output. | CVSS3: 7.5 | 1% Низкий | около 3 лет назад |
| CVE-2022-45143 The JsonErrorReportValve in Apache Tomcat 8.5.83, 9.0.40 to 9.0.68 and ... | CVSS3: 7.5 | 1% Низкий | около 3 лет назад |
Уязвимостей на страницу